Computer Forensic Expert Witness: An In-Depth Hiring Guide

computer forensic expert witnessA computer forensic expert witness can inform a trier of fact on a wide array of issues involving computer security. These experts are typically charged with investigating computers and other electronic information storage devices like mobile phones. They can uncover evidence that is useful to either a plaintiff or defendant’s case. Litigation involving divorce, wrongful termination, intellectual property, or computer hacking are just some situations that may require the expertise of the computer forensic expert witness.

Qualities of a Computer Forensic Expert Witness

A computer forensic expert witness is an individual with extensive experience in the field of computer investigation and security. This is often termed eDiscovery, or electronic discovery. This experience is typically rooted in advanced education in engineering or computer science, and a lengthy work history within the information technology industry. Certain computer forensic experts have military training in computer security, data recovery, evidence handling, and computer crime investigation.

A computer forensic expert often works as an instructor at various state departments of justice, teaching law enforcement bodies how to effectively investigate cybercrimes. Many work to develop cybercrime certification courses and computer evidence seizure training curriculums for law enforcement officials.

Certain experts hold information security industry certifications in computer forensics, ethical hacking and network penetration. Such certifications include CEE (Certified Computer Examiner), CISSP (Certified Information Systems Security Professional), GPEN (GIAC Network Penetration Testing), GCIH (GIAC Certified Incident Handler), GSLC (GIAC Security Leadership), CEH (Certified Ethical Hacker), IACIS (International Association of Computer Investigative Specialists), and ACSPC (Advanced Computer Security Professional Certificate).

Often, a computer forensic expert witness serve as members of information security industry organizations. This could be the International Society of Forensic Computer Examiners (ISFCE), the Institute of Electrical and Electronics Engineers (IEEE), or the IEEE Computer Society.

A computer forensic experts typically work alongside private and law enforcement investigators, litigation support firms, government agencies, and corporate security teams, to analyze and enhance computer network security, to investigate vulnerabilities and breaches in security, and to produce evidence admissible in both civil and criminal proceedings regarding their practices.

Practices of a Computer Forensic Expert Witness

Like any other form of evidence, computer evidence produced by a forensic expert must conform to the Federal Rules of Evidence and to the Federal Rules of Civil Procedure to be admissible in court. Computer forensic experts are adept at acquiring electronic evidence through means that conform to these stringent guidelines.

A computer forensic expert’s first step towards producing this evidence is to identify devices that potentially contain information important to a client’s case. Desktop computers, laptops, servers, external hard drives, tablets, smartphones, cell phones, and USB memory devices all store large amounts of data, and can therefore contain important evidence. After a computer forensic expert witness identifies these devices, he or she analyzes them thoroughly. Almost any transaction performed on a computer or over the Internet is discoverable to a computer forensic expert. Even data that appears destroyed or deleted is likely recoverable to these experts, including,

  • Corrupted computer files and emails
  • Reformatted or repartitioned hard drive files
  • Encrypted files
  • Deleted web history logs
  • Files downloaded then deleted
  • Transferred files
  • Viewed files
  • Erased social media dialogues
  • Digital faxes sent or received
  • Backlogged financial records
  • Damaged computer drives or other storage mediums (i.e. surveillance video)


Computer forensic experts can also draw electronic evidence from:

  • E-mail and messages
  • Text messages
  • Voicemails
  • Images
  • Graphics
  • Calendar files
  • Databases
  • Spreadsheets
  • Audio files
  • Websites
  • Floppy Discs, CDs, DVDs
  • The Cloud
  • Camera SD Cards
  • Computer networks


A computer forensic expert witness offers a variety of investigatory services tailored to their clients’ needs, or computing context. For example, it is sometimes impossible for a computer server system, mail server, or individual computer to be rendered offline or separated from its environment. But even without physical access to a client’s computer system, an expert witness can still perform his/her job by drawing evidence from these systems remotely. Using encrypted software, a forensic expert can acquire admissible evidence from a subject-computer regardless of its location. This service is especially useful in time-sensitive situations where risks of spoliation of evidence are present.

Where necessary, an expert can also produce a forensic image of the entire contents of a subject’s computer. This includes any evidence stored on the computer. This electronic reproduction, copied onto the forensic expert’s hard drive, can serve as a representation of a subject’s computer data and history at a certain point in time. This and other data protection techniques such as hard drive cloning to rebuff the effects of evidence tampering. Thus preserving the integrity of important electronic evidence to be provided to the trier of fact.

Attempting to perform certain techniques without the direct oversight of a computer forensic expert can be harmful to a case. Copying, saving, sharing, or even accessing and viewing data that may be used as evidence can alter the metadata attached to that information, such as the time and date the information was last viewed, and even jeopardize whether the evidence will be admissible in court. In order to preserve evidence and its admissibility, consulting a computer forensic expert is vital.

computer forensic expert witnessSpecialties of the Computer Forensic Expert Witness

Business Disputes: Intellectual Property, Employment

Protecting a company’s intellectual property is necessary to maintaining healthy business practices. As more business is conducted electronically, companies are more vulnerable to computer crime (also called cybercrime). Any device, from a company’s mainframe system to an entry-level employee’s cell phone, may contain sensitive or confidential information. A computer forensic expert provides essential insight where this information is compromised. For example in cases involving intellectual property misappropriation or business fraud. These experts unpack the information hardwired onto electronic devices, including data trails, time and date stamps, user data, and even encrypted information. Computer forensic experts that specialize in business litigation are key to cases involving,

  • Former employee theft of intellectual property
  • Enforcement of non-competition agreements
  • Sexual harassment claims
  • Embezzlement
  • Financial fraud
  • Legal malpractice
  • Bankruptcy


Employment disputes can vary in scope, but most often call for the computer forensic expert witness. Litigation concerning wrongful termination, employment agreements, discrimination in the workplace, non-disclosure agreements, non-compliance agreements, and misappropriated trade secrets benefit directly from these expert witnesses’ ability to locate, gather, and present evidence mined from the devices inherent to any business. In such cases, electronic communications often contain evidence of activities or materials that violate terms of employment.

Case Example: Nucor Corp. v. Bell, 2008 WL 4442571

The plaintiff, a steel mill, filed suit against its former general manager and his new employer steel company, alleging that the defendants had misappropriated trade secrets belonging to the plaintiff steel mill and planned on using that information to compete with the plaintiff. When the plaintiff reviewed defendants’ computers for evidence of misappropriation, however, the plaintiff found only blocks of zeros.

The plaintiff then alleged that defendants had negligently or intentionally destroyed evidence, constituting spoliation of evidence. A computer forensic expert witness supported this allegation. Testifying that defendants had “wiped” their devices clean of data by overwriting that data with zeros, intentionally spoiling evidence.

However, the defendants countered with their own computer forensic expert. He testified that he also examined the computers and found no evidence that any “wiping” had taken place.

Both parties moved to exclude the testimony of the other’s expert. After extensive review of both experts’ qualifications and methods of analysis, the court excluded the plaintiff’s expert testimony.

The plaintiff’s computer expert could not state to a reasonable degree of scientific certainty that the computers were capable of wiping its data clean, and did not conduct any tests to determine this fact. The defendants’ expert, however, was deemed reliable, his methodology and opinions up to the standard of experts in the computer forensics field.

Divorce: Infidelity, Alimony, Debt

Divorce proceedings often involve issues concerning alimony, infidelity, distribution of marital property, division of debt, and child custody and support. Electronic financial records and communications can prove important information to a trier of fact concerning these issues. Metadata or cell phone tracking data can be collected and analyzed to establish the whereabouts of a device’s user at a certain time; recovered electronic communications can point to relationships between parties; financial records stored on a party’s computer may reveal their financial status, debt, capacity for child support; Internet browsing logs can produce a timeline of activity for a trier of fact. Computer forensic experts who specialize in divorce litigation are uniquely equipped to collect data stored on devices belonging to the parties involved.

Hacking: Internet Security

Computer users stock their systems with anti-virus software and firewalls to ward off many types of cybercrime. Still, hackers often devise ways to circumvent these countermeasures and access sensitive information. Computer forensic experts specialize in detecting these criminal break-ins, assessing the damage, mapping what was taken, and collecting evidence of the criminal activity that is admissible in court.

Cyberbullying: Abuse, Stalking, Trolling

Threats or abuse inflicted via electronic communication constitute cyberbullying, also called cyberharassment or cyberstalking. Every U.S. state has either enacted new laws concerning these crimes, or has recast traditional harassment and abuse laws to include elements of their cyber counterparts. Cyberbullying can occur over email, social media (where it is often referred to as “trolling”), instant messaging, or discussion group communications. Individuals who use the Internet to track or locate others may be termed cyberstalkers. Cybercriminals rely on the Internet’s perceived anonymity; computer forensic experts pull back that veil, uncovering the data traces cyber criminals leave behind, identifying the perpetrators, and providing evidence to the trier of fact.

Recently, Michelle Chapman, 24, of Par, Cornwall (England) became the first person to be jailed for cyberbullying herself on Facebook. Over a number of months, Chapman complained to the police about abusive Facebook messages she was receiving from a number of family members. After viewing the offensive messages, police arrested Chapman’s stepmother and issued warnings to her father and other family members. Chapman’s family denied any knowledge of the abusive Facebook profiles that displayed their names and photos.

Computer forensic experts analyzed the communications and profiles. They revealed that Chapman had created the offending profiles herself, uploading pictures and information about her family members onto Facebook. She had sent hundreds of abusive messages from the fake accounts to her own Facebook profile over a number of months, then complained to the police.

The key to their investigation, the experts said, was their discovery that all of the offending Facebook profiles had been created in Chapman’s own home. Chapman was sentenced to twenty months in prison and has been barred from having any computer access during her sentence.

Case Example: Portuguez v. Espiritu, 2014 WL 261327

The plaintiff sought a restraining order against the defendant, a former boyfriend. She alleged that the defendant sent her threatening text messages, changed the passwords on her email and other Internet accounts, accessed her cell phone and sent offensive text messages to third parties while impersonating her, physically abused and cyberbullied her, attempted to track her cell phone, and threatened to kill her. The plaintiff further testified that she transferred to a different high school to avoid the defendant’s abuse. The defendant denied all of the plaintiff’s allegations.

The plaintiff called a computer forensic expert to testify on her behalf. The expert provided detailed information on the capabilities of the parties’ cell phones and computers. Explaining how the defendant could easily have accessed the plaintiff’s cell phone and computer information remotely, and sent text messages that appeared to have been sent from the plaintiff’s cell phone.

Based on the expert’s testimony, the court decided it proper to infer that the defendant had cyberimpersonated plaintiff in order to threaten her, sent her obscene and abusive text messages, and disrupted the plaintiff’s private Internet accounts by changing their passwords on multiple occasions. All of which ultimately forced her to change schools.

Holding that this “socially unacceptable course of conduct would have seriously alarmed, annoyed, or harassed a reasonable person, and would have caused a reasonable person to suffer substantial emotional distress,” the court issued plaintiff’s restraining order against defendant.

Violent Crimes, Illegal Materials

Crimes involving physical violence or the possession of illegal materials require a computer forensic expert to map an individual’s computer activity for the dates and time period associated with an investigation. Internet search terms recorded by a computer can provide convincing evidence to a trier of fact. Computer forensic experts often work in tandem with police and investigators to perform such analysis.

For example, in a murder trial, a forensic computer examiner can unearth whether the accused conducted any suspicious Internet searches before the victim was killed. Such web activity may include searches for information about the victim and searches for the murder weapon. As well as keyword searches such as “best place to hit head,” “how hard to hit someone to knock them out,” and “how to hit someone in the back of head with a hammer.”

Computer forensics can also exonerate innocent individuals. The Washington County attorney’s office recently decided not to charge a former Hugo, Washington priest after forensic computer experts combed his computer and found no pornography involving children. The priest, Rev. Jonathan Shelley, had given his old computer and hard drive to a parishioner, who planned on giving it to his children. However, the parishioner discovered 1,303 pornographic images on the hard drive, many of which he believed included children.

A computer forensic expert witness collected the materials and submitted them to the National Center for Missing and Exploited Children and the Minnesota Internet Crimes against Children Taskforce. Both organizations maintain databases of known child exploitation materials and compare their materials to possible child pornography materials submitted to them. They then ascertain whether the suspect materials do in fact represent children.

The forensic investigation, police investigators and the Washington County attorney’s office concluded that no minors appeared in the pornography recovered. As a result, no charges were brought against the priest.

About The Author

Jacob Weis, J.D., is a legal advisor, FinTech consultant, and journalist who specializes in technology transactions, SaaS, cryptocurrency, encryption, privacy, data security, E-discovery, employment and confidentiality agreements, and information governance.